
[CyberSecurity Awareness Series] When George Got Whaled

The button clicked. An amount of exactly 9,99,000 $ was transferred immediately to an untraceable offshore account. This triggered an alert on the bank’s server, and the response team quickly swung into action. Suddenly multiple alerts came rushing in like a raging torrent: transaction after transaction of 9,99,000 $ kept popping up on the screen. The response team immediately knew the bank was under attack and sounded the alarm, but by then it was already too late.

3 Hours Earlier

It was a quiet afternoon and George was enjoying his cup of coffee. Looking out of his glass window, the view from the 22nd floor was amazing. The bank was doing well, and the record quarterly profit had cemented his position and power as the top man at the bank. George’s phone chimed. He glanced at it and smiled broadly; the picture message brought back memories of the night before.

Still smiling, he logged on to his laptop. Because of regulatory compliance and a freeze period, all major transactions were on hold. Since the declaration period had ended the previous day, George was waiting for the go-ahead from the regulatory committee to lift the ban on high-value transactions. Before we go further, it would be nice to introduce the man. George, a 37-year-old with great looks and an MBA from the Ivy League, was one of the youngest CEOs of the Elegant Bank Corp. Married to a beautiful wife, George was living a dream. Well, sometimes dreams do crash.

The mail came and, as per process, George had to log in to the bank’s main server and confirm that high-value transactions would be allowed from that evening. He logged on to the bank’s server remotely using his credentials. He received an alert on his phone that the bank’s server was being accessed. He entered the code from his RSA token and, voilà, it was done.

The Investigation

George received a call from the response team alerting him that multiple transactions were happening and that it could be an attack. George panicked, and for a moment he felt as if a white flash of light had crossed his eyes. He gathered himself and tried logging in to the bank’s server, but to his shock he had been logged out. He tried logging in again and the message said “Wrong Password”. He called the response team only to receive more shocking news. According to the response team, George had changed his password 2 hours earlier and had updated the access control list too. Only George and Mr. Rishabh, a member of the board of directors, could access the bank’s server remotely.

George immediately called an emergency meeting of the board of directors. He instructed the response team to take whatever measures were needed to disable the bank’s servers. He also called in law enforcement and explained the situation to them.

Swipe Me In

Law enforcement took complete control of all the bank’s devices and started the forensic investigation. Meanwhile, the media had a field day as the news broke in the morning that the Elegant Bank had been hacked to the tune of 4.5 billion $. Funds transferred to the offshore accounts were untraceable, and recovering the money was next to impossible. But what led to this attack? Who could have cracked the high-level security deployed by the bank? The bank’s cyber security team was carrying out its own internal investigation too.

George was feeling miserable. He felt as if he had been torn apart. He took his mobile phone and logged on to the app “SwipeIt”. The user “FlowerAngel” was not accessible. That was strange to George. He checked again, but the app said that the profile was no longer accessible. George was still puzzling over the problem when the desk phone rang.

The law enforcement agencies had come to meet George. They asked George to hand over his phone and also showed him the search warrant for his office and his home. The next day a story was published in the national daily which shocked quite a few.

The Night Before

The law enforcement agencies were quick to join the dots from the logs, and George’s confession was the final confirmation. George had a terrible habit of meeting strangers through the SwipeIt app and spending the night with them. The app showed people nearby who were looking for company, and a person had only to swipe to confirm a match.

The night before, George had met “Flower Angel”, a 19-year-old girl. They instantly hit it off and ended up in a nearby hotel. While George was completely drunk, the girl simply plugged a flash drive into his laptop. The Trojan installed itself on the laptop, and the next day, when George logged on to the bank’s server, the Trojan replicated his exact moves and handed complete control to the hacker. While the bank had deployed other security measures to mitigate such threats, technology alone cannot solve the problem when the password is known and full admin privileges belong to a person of such high stature.

This is an example of a whaling attack. Top people are always on the radar of those with malicious intent, and they need to be careful. As cybersecurity professionals, we also need to keep such cases in mind when designing protection mechanisms for top management personnel.
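The tell-tale sequence in the story (a password change and ACL update on a privileged account, followed a few hours later by a burst of identical high-value transfers) is the kind of correlation a response team can encode as a detection. The example below is added here and is not part of the original post; it runs over a constructed event stream in which the account names and timestamps are invented and the amount 9,99,000 is written as 999000.

```python
"""Correlate privileged-account changes with a burst of identical transfers."""
from datetime import datetime, timedelta

# Constructed audit events (not real bank logs): timestamp, actor, event, detail
EVENTS = [
    ("2019-05-10 13:05", "george", "login_remote", "mfa=ok"),
    ("2019-05-10 13:10", "george", "password_change", ""),
    ("2019-05-10 13:12", "george", "acl_update", "remote_admins=george,rishabh"),
    ("2019-05-10 16:01", "george", "transfer", "999000"),
    ("2019-05-10 16:01", "george", "transfer", "999000"),
    ("2019-05-10 16:02", "george", "transfer", "999000"),
    ("2019-05-10 16:02", "george", "transfer", "999000"),
    ("2019-05-10 16:03", "george", "transfer", "999000"),
]
# Changes to a privileged account that should raise suspicion if a burst follows.
SENSITIVE = {"password_change", "acl_update"}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def transfer_bursts(events, window=timedelta(minutes=5), min_count=3):
    """Return one burst per (actor, amount) when at least `min_count`
    identical transfers by the same actor fall inside one `window`."""
    groups = {}
    for ts, actor, kind, detail in events:
        if kind == "transfer":
            groups.setdefault((actor, detail), []).append(parse(ts))
    bursts = []
    for (actor, amount), times in groups.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= min_count:
                bursts.append({"actor": actor, "amount": int(amount),
                               "count": n, "start": start})
                break  # report the earliest qualifying window only
    return bursts


def correlate(events, lookback=timedelta(hours=3)):
    """Escalate a burst to 'critical' when the same actor changed their
    password or the ACL within `lookback` before the burst began."""
    alerts = []
    for b in transfer_bursts(events):
        b["preceded_by"] = [kind for ts, actor, kind, _ in events
                            if actor == b["actor"] and kind in SENSITIVE
                            and b["start"] - lookback <= parse(ts) < b["start"]]
        b["severity"] = "critical" if b["preceded_by"] else "high"
        alerts.append(b)
    return alerts
```

A real deployment would read these events from the server’s audit log and the payment system rather than a list, but the correlation logic is the same.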

What are your thoughts on this?



Disclaimer:

The views and opinions expressed herein are my own. They do NOT represent the views or opinions of my employer or any other organization. Any information represented as fact is believed by me to be true, but I make no legal claim as to its certainty.